﻿using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using EasyHook;
using System.Runtime.InteropServices;


namespace MalMonInject
{
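    /// <summary>
    /// Activity monitor that intercepts registry key creation and deletion
    /// (RegCreateKeyW / RegDeleteKeyW in Advapi32.dll) inside the process it is
    /// loaded into and queues one record per call on the injector's queue.
    /// </summary>
    /// <remarks>
    /// NOTE(review): only these two exports are hooked here. Whether other registry
    /// entry points (for example the *Ex or ANSI variants) are covered elsewhere
    /// cannot be seen from this file; confirm coverage before relying on these
    /// records as a complete view of registry activity.
    /// </remarks>
    public class RegActivities:ActivityMonitor
    {
        // Hook handles are kept in fields so they stay referenced for as long as
        // this monitor instance is alive.
        LocalHook RegCreateKeyHook;
        LocalHook RegDeleteKeyHook;

        /// <summary>Creates the monitor and hands the injector to the base class.</summary>
        /// <param name="Injector">Injector instance passed to the hooks as their callback object.</param>
        public RegActivities(MalMonInject Injector):base(Injector)
        {
        }

        /// <summary>
        /// Installs the RegCreateKeyW and RegDeleteKeyW hooks.
        /// </summary>
        public override void InstallHook()
        {
            RegCreateKeyHook = LocalHook.Create(
                   LocalHook.GetProcAddress("Advapi32.dll", "RegCreateKeyW"),
                   new DRegCreateKeyW(RegCreateKeyW_Hooked),
                   this.Injector);
            // Exclusive ACL with thread id 0: presumably 0 stands for the calling
            // thread, so the installing thread is excluded and every other thread
            // is intercepted. Confirm against the EasyHook version in use.
            RegCreateKeyHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });

            RegDeleteKeyHook = LocalHook.Create(
                   LocalHook.GetProcAddress("Advapi32.dll", "RegDeleteKeyW"),
                   new DRegDeleteKeyW(RegDeleteKeyW_Hooked),
                   this.Injector);
            RegDeleteKeyHook.ThreadACL.SetExclusiveACL(new Int32[] { 0 });

        }

        /// <summary>
        /// Queues one activity record for <paramref name="apiName"/>. Must only be
        /// called from inside a hook handler, because it reads the injector from
        /// HookRuntimeInfo.Callback.
        /// </summary>
        /// <param name="apiName">Name of the intercepted API as it should appear in the record.</param>
        static void ReportCall(string apiName)
        {
            try
            {
                MalMonInject This = (MalMonInject)HookRuntimeInfo.Callback;

                lock (This.Queue)
                {
                    //Time + Pid + Tid + Api + Content
                    // NOTE(review): Content is left empty, so the record does not say
                    // which key was touched. lpSubKey is supplied by the monitored
                    // process and is untrusted; before adding it here, confirm that
                    // FormatMessage escapes separators and line breaks so a crafted
                    // key name cannot forge or split records.
                    // NOTE(review): DateTime.Now is local time; confirm the consumer
                    // of the queue expects local rather than UTC timestamps.
                    This.Queue.Push(ActivityMonitor.FormatMessage(DateTime.Now, apiName, ""));
                }
            }
            catch
            {
                // Deliberate best-effort: a logging failure must not propagate into
                // the hooked process, so the original API is still called. The cost
                // is that a dropped record is silent.
            }
        }

        /*----code generated by script CodeGenerator.py----*/
        /*----RegCreateKeyW----*/
        // NOTE(review): this section is marked as generated. Changes made here
        // should also be applied to the generator, or they will be lost when the
        // file is regenerated.
        [System.Runtime.InteropServices.StructLayoutAttribute(System.Runtime.InteropServices.LayoutKind.Sequential)]
        public struct HKEY__
        {

            /// int
            public int unused;
        }
        [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
        delegate int DRegCreateKeyW(IntPtr hKey, [MarshalAsAttribute(UnmanagedType.LPWStr)] string lpSubKey, ref IntPtr phkResult);
        [DllImportAttribute("advapi32.dll", EntryPoint = "RegCreateKeyW")]
        static extern int RegCreateKeyW([InAttribute()] IntPtr hKey, [InAttribute()] [MarshalAsAttribute(UnmanagedType.LPWStr)] string lpSubKey, ref IntPtr phkResult);

        /// <summary>
        /// Replacement for RegCreateKeyW: records the call, then forwards the
        /// unchanged arguments to the real API and returns its result.
        /// </summary>
        static int RegCreateKeyW_Hooked(IntPtr hKey, [MarshalAsAttribute(UnmanagedType.LPWStr)] string lpSubKey, ref IntPtr phkResult)
        {
            ReportCall("RegCreateKeyW");

            return RegCreateKeyW(hKey, lpSubKey, ref phkResult);
        }
        /*----code generated by script CodeGenerator.py----*/
        /*----RegDeleteKeyW----*/
        [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode, SetLastError = true)]
        delegate int DRegDeleteKeyW(IntPtr hKey, [MarshalAsAttribute(UnmanagedType.LPWStr)] string lpSubKey);
        [DllImportAttribute("advapi32.dll", EntryPoint = "RegDeleteKeyW")]
        static extern int RegDeleteKeyW([InAttribute()] IntPtr hKey, [InAttribute()] [MarshalAsAttribute(UnmanagedType.LPWStr)] string lpSubKey);

        /// <summary>
        /// Replacement for RegDeleteKeyW: records the call, then forwards the
        /// unchanged arguments to the real API and returns its result.
        /// </summary>
        static int RegDeleteKeyW_Hooked(IntPtr hKey, [MarshalAsAttribute(UnmanagedType.LPWStr)] string lpSubKey)
        {
            // The record previously carried the label "RgCreateKeyW", which matched
            // no real API name, so key deletions could not be identified by their
            // label in the activity log.
            ReportCall("RegDeleteKeyW");

            return RegDeleteKeyW(hKey, lpSubKey);
        }

    }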
}
